ICANN: the extent of the impact of the GDPR on WHOIS is uncertain

The Internet Corporation for Assigned Names and Numbers (“ICANN“) published today a statement regarding the ability of registries and registrars to comply with their WHOIS and other contractual requirements related to domain name registration data in light of the European Union’s General Data Protection Regulation (GDPR).

At ICANN60, many community members expressed concerns regarding the ability of registries and registrars to comply with their WHOIS and other contractual requirements related to domain name registration data in light of the European Union’s General Data Protection Regulation (GDPR).

As discussed at ICANN60, the extent of the impact of the GDPR on WHOIS and other contractual requirements related to domain name registration data is uncertain.

At this point, ICANN knows that the GDPR will have an impact on open, publicly available WHOIS. ICANN has no indication that abandoning existing WHOIS requirements is necessary to comply with the GDPR, but they don’t know the extent to which personal domain registration data of residents of the European Union should continue to be publicly available.

Here is the complete statement:

At ICANN60, many community members expressed concerns regarding the ability of registries and registrars to comply with their WHOIS and other contractual requirements related to domain name registration data in light of the European Union’s General Data Protection Regulation (GDPR). The contracted parties in particular noted the importance of identifying means to comply with their contractual obligations without running afoul of the GDPR which, beginning 25 May 2018, will include significant monetary penalties for noncompliance. They also indicated that they must begin now with the process of developing, testing and implementing any new solutions that may be necessary if they are to come into compliance with the GDPR by 25 May 2018. Finally, they expressed concern that ICANN Contractual Compliance might find them in breach of their existing contractual requirements related to registration data before clear solutions emerge.

As discussed at ICANN60, the extent of the impact of the GDPR on WHOIS and other contractual requirements related to domain name registration data is uncertain. The ICANN Board, org and community are engaged in multiple efforts to assess the impact of the GDPR on registry and registrar obligations in ICANN agreements and policies, and we continue to work with the Hamilton law firm to understand this impact. At this point, we know that the GDPR will have an impact on open, publicly available WHOIS. We have no indication that abandoning existing WHOIS requirements is necessary to comply with the GDPR, but we don’t know the extent to which personal domain registration data of residents of the European Union should continue to be publicly available. At the same time, we understand that registries and registrars are developing their own models for handling registration data that they believe will comply with the GDPR. We’ve heard some of these ideas as we’ve been engaging and we’d like to understand the details so that we can submit the various models to the Hamilton law firm for further analysis.

During this period of uncertainty, and under the conditions noted below, ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data. To be eligible, a contracted party that intends to deviate from its existing obligations must share its model with ICANN Contractual Compliance and the Global Domains Division. To the extent that the party requests confidential treatment, ICANN will remove any identifying information and share only the elements of the model with the Hamilton law firm for the purpose of legal analysis against the requirements of the GDPR. The model should reflect a reasonable accommodation of existing contractual obligations and the GDPR and should be accompanied by an analysis explaining how the model reconciles the two. For clarity, Contractual Compliance would not defer enforcement if, for example, a contracted party submitted a model under which it abandoned its WHOIS obligations. In addition, a model that satisfies the conditions noted here might also require compliance with other contractual obligations or consensus policies, e.g., the Registry Services Evaluation Policy (RSEP). A model may also require further modifications if it is later determined not to comply either with the GDPR or any future community-developed policy.

Detailed guidance regarding the process and eligibility requirements will be provided shortly.

About Konstantinos Zournas

Konstantinos studied Computer Engineering and Computer Science in London and lives in Athens, Greece. He loves domains and building websites. He is online since 1995, learned about html in 1996 and got into domains in 2002. He started the OnlineDomain.com blog in 2012.